General
Target: JaffaCakes118_3527fbbb084d6e6150f90d9b0eb777d2
Size: 602KB
Sample: 250126-nrt8nszqay
MD5: 3527fbbb084d6e6150f90d9b0eb777d2
SHA1: ffa14990ffb0304a1c709a91f19e31d29a651e5b
SHA256: e1169a09276e4ffbe0dc85e67145f43f69ee07ce8f8ca08455f4e86732da1c5d
SHA512: 74172e1bc61847c3b805711d96d656c6023ee2136085be6a9c05023019973feb95fc70b55080c3ed0171c3cdf9bcd0493dc6ded6bf16252b2f6619804aaafabe
SSDEEP: 12288:o3TdtLW5WIj1YSSdFxsBSXyMzBUWb9lx/9AgHLo8OW+rBj:CDsj1dEcBcJ9nPx/igrp+1
Behavioral task: behavioral1
Sample: JaffaCakes118_3527fbbb084d6e6150f90d9b0eb777d2.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_3527fbbb084d6e6150f90d9b0eb777d2.exe
Resource: win10v2004-20241007-en
Malware Config
Targets
- Ardamax family
- Ardamax main executable
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Modify Registry (3)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)